Have you heard the phrase or “rule” that technology doubles every 18 months?
Moore’s law, coined in 1965, states that the number of transistors in an integrated circuit (IC) doubles every two years.
Given the current state of technological and AI advancement (which we’ll get to plenty later), it feels like we’re advancing closer to every 18 hours these days.
This is all to say that it can be incredibly challenging to predict what a year in a field like cybersecurity will look like. Yet, still, we find it important to share what we think will take center stage this year.
If you’d like to listen to the conversation these stemmed from, tune into our predictions episode of the Unsecurity podcast above, but we include additional context and commentary on these topics here.
Awareness plays a pivotal role in prioritizing security initiatives and avoiding costly missteps. So, here are some of our expert cybersecurity predictions for the industry in 2025—some things you can watch out for and consider heading into this new year.
The New Administration May Roll Back Regulations
Political thoughts, opinions, and feelings aside, each new administration brings change. And with there being a new president this year for the first time in four, we can expect to see differences in how cybersecurity is handled.
Cybersecurity Maturity Model Certification (CMMC)
CMMC is a regulation that aims to improve how government contractors (of the Department of Defense, specifically) handle and secure controlled unclassified information (CUI).
The final rule was newly implemented in December 2024, but the new administration may change how this requirement is handled. Originally scheduled to be a phased rollout into contracts over the next few years, we may see a relaxation in the requirements.
Frankly, there are challenges with the requirement. Namely, there aren’t enough independent contractors who have gone through the process to become auditors—and the rule requires third-party control validation. Additionally, this is an expensive certification to pursue, and small businesses may choose not to get certified after conducting a profit-loss analysis.
With these factors in mind, here are some predictions for CMMC this year:
- The government may make this certification more of an opt-in than a requirement.
- Since it may not make sense for small organizations to pursue this financially, but the government still requires their goods or services, we may see acquisitions of smaller contractors.
- Despite this, we expect prime contractors will still require CMMC from their subcontractors.
It should be noted—we’re not telling you to relax on your CMMC efforts. With the final rule initiated, you should be making strides toward certification as if the rule will move forward unchanged.
HIPAA Requirements
Another regulation that may see some changes in 2025 is HIPAA.
In January 2024, the Department of Health & Human Services (HHS) launched its Cybersecurity Performance Goals (CPGs) to set a floor of cybersecurity best practices for healthcare organizations.
These security practices are currently voluntary, even though we had anticipated that regulatory agencies would enforce the requirements by the end of 2024 through existing regulations like HIPAA.
The rollout of these requirements has already been more hesitant than CMMC’s, so we could reasonably expect to see this take a backseat with the new administration.
AI Cybersecurity Predictions. Yes, Again.
We might be going on year three of AI being the “topic of the year,” but it will look a little different in 2025.
The conversation has drastically shifted from building and implementing AI. Large Language Models (LLMs) have already been woven into the fabric of our businesses’ day-to-day. So now, instead of wondering what we do with them, it’s time to talk about the integrity and security of these models.
AI Prediction #1: Monitoring Data Integrity
“AI and LLMs have been implemented into critical business processes at racetrack speed without any real forethought of the implications of the data and how it’s handled.” —Oscar Minks, FRSecure President
It’s dangerous to be over-reliant on AI. Given the speed of implementation and the biases in these models, we need to think critically about the information being given to us instead of simply taking it as truth.
We do see value in these tools, but the nature of our industry is that we must look at things from a different lens. We’re not saying this is full-blown doomsday and not to use these tools—just use them responsibly.
What are the guidelines and processes for governing the LLM, and for determining whether it’s susceptible to bias?
This will be the shift in 2025. It’s no longer about what we can do with AI. Instead, we will focus on understanding AI and LLMs more deeply, and on testing and monitoring the models specifically for integrity.
Data integrity is the primary concern. If you make decisions based on bad input, there are going to be bad outcomes.
AI Prediction #2: Ramifications
Speaking of bad outcomes—we also expect some drastically bad situations to stem directly from AI usage this year.
We will likely see critical issues because of corruption or bias within the models and the speed of implementation.
The Ultimate Mistake
We could also see something as directly harmful as an inappropriate or inaccurate medical treatment due to an AI suggestion or flawed data behind a pharmaceutical study.
Yes, it would not be surprising for us to see an AI-informed death this year.
Would a death be the spark needed for regulatory bodies to step in quicker? We need to see the government or regulatory agency step up and create some responsible rules for AI and LLMs, and this feels like it would be an obvious alarm.
It may start with UHG instead, though.
Legal Implications
Unless you’ve been living under a rock the last few months, you likely know that the CEO of United Healthcare Group was assassinated on the street in New York City.
And while the exact motive for this is unknown, many have pointed to UHG’s newish AI model. Essentially, this LLM was put in place to review claims at a quicker rate—cutting decision time down to 5-10 minutes in some instances.
However, it’s been reported that UHG used the model to pressure employees to deny claims, and it had nearly a 90% inaccuracy rate.
This has garnered the attention of the entire nation, and an impending (very public) lawsuit would most certainly have top businesses being more careful with their approach to AI implementation.
Major Events More Likely to Spark Change
The CrowdStrike outage was another major event that hit the headlines in 2024. And while this wasn’t a security-related incident, it did serve as a reminder about incidents in general and disaster recovery.
Delta experienced similar organization-wide outages in 2024 that grounded many thousands of travelers.
While these may not have been AI-caused incidents, it would not be surprising to see similar incidents this year that are.
And frankly, this may be what we truly need to spark change.
The question was already posed whether an AI-influenced death would be reason enough for regulatory bodies to step in. But the sad (and admittedly cynical) reality is that we may not even hear about an isolated incident like that occurring—let alone care.
Typically for major change to occur, two things need to happen.
The first is that many people need to be affected by it. One isolated incident is too easy to brush off as an anomaly—unimpactful to the average person.
The second is that the disgruntled masses of everyday citizens need to stand up and take concerns to legislative bodies. Otherwise, it’ll be status quo until it’s too late.
We’re breach and notification fatigued. An AI-related breach or incident that grounds all travel, stops people from being able to do their jobs, loses a bunch of money, etc. is an easy cybersecurity prediction this year. And that type of impact would break the fatigue and create a reaction to force the government’s hand in stepping in to regulate how we use AI.
AI Prediction #3: Monetization of Deepfakes
Deepfakes have become well-known use cases for AI. These videos spoof real humans and are used to make people seem as though they’re saying something they have not.
You may have seen some of these in 2024. Near election cycles, deepfakes are great tools for nation-state-motivated attackers.
The technology doesn’t just suddenly stop becoming impressive because we’re not in an election year, though. Attackers are clever and will still find ways to utilize these.
Nation-state espionage aside, the biggest motivator for attackers continues to be monetary gain. We’re predicting that attackers will continue to create deepfakes, but in 2025 they’ll do it to make money.
AI Prediction #4: Drive-By Attacks from Cloned Sites
Humans aren’t the only things that AI can be used to help replicate or spoof.
One of the most immediately positive use cases of AI is the decrease in time it takes to develop and write code, and the accuracy of that code. But this means that AI can also be used to quickly replicate credible websites.
Pair that with a recent attack trend where bad actors buy up the advertising space on Google search results, and you’ve got a cocktail for compromise.
We predict that these drive-by attacks will not only increase but also successfully bait their targets at a higher rate given the ease and effectiveness of these AI builders.
A Word of Advice
Especially for things like your online bank, but really anything sensitive in nature that you have a login for, manually enter the URL for the official login page and bookmark it in your browser.
We highly recommend that you never Google search for these sites, and more importantly, we urge you never to input your credentials into a site you landed on via search.
Post-Quantum Cryptography
What’s old is new. The first quantum cryptography protocol was invented in 1984. At its core, quantum cryptography (or quantum encryption) secures the transmission of data by encrypting it through laws of physics as opposed to principles of mathematics.
Compared to our best traditional computers, quantum computers have the potential to solve complex problems orders of magnitude faster. And there’s an expected rise in quantum computing.
This is great for cyber attackers. What would have traditionally taken thousands of hours to crack an encryption code could potentially be done in a matter of minutes or seconds with quantum computing.
“If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use.”
Security professionals need to adapt. We expect to see an influx of post-quantum cryptography (PQC) as a result.
PQC, instead of relying on the math problems behind today’s public-key schemes, will utilize variations of older math problems known as lattice and hash problems. Experts believe these will be hard to solve for both quantum computers and conventional computers.
It can take many years for new algorithms to become standard, and while we’re likely some way off from quantum computing becoming the norm, we should start to see strides being made in PQC this year to get ahead of it.
Device and Application Authorization
Each year, FRSecure’s incident handling team responds to more than 75 incidents.
In 2024, we still saw an influx of EvilProxy and man-in-the-middle attacks.
EvilProxy is a phishing-as-a-service platform that uses reverse proxy and cookie injection methods to bypass multifactor authentication (MFA). A man-in-the-middle attack sits between two communicating parties and intercepts communication.
Now, this is not to say that MFA is obsolete. Quite the contrary. It is our firm belief that MFA is a baseline requirement—it’s just not enough.
Because of these attacks and their prominence in 2024, we’re expecting to see an improvement in conditional access policies focused on device and application authorization.
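To show why MFA alone passes an EvilProxy-style sign-in while a device-authorization grant control stops it, here is an added example of a minimal conditional-access evaluator. It is constructed for this post and is not the code or API of any identity provider; the sign-in records, policy names and device IDs are assumed sample values.

```python
"""Toy conditional-access evaluator (constructed example, not a vendor API)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class SignIn:
    user: str
    mfa_satisfied: bool        # a reverse proxy relays the real MFA prompt, so this is True for AitM too
    device_id: str | None      # None when the client presents no enrolled device identity
    device_compliant: bool
    app: str


@dataclass
class Policy:
    name: str
    require_mfa: bool = True
    require_compliant_device: bool = False
    apps: set[str] = field(default_factory=lambda: {"*"})   # "*" = all applications


def evaluate(policy: Policy, s: SignIn) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). All configured grant controls must be satisfied (AND)."""
    if "*" not in policy.apps and s.app not in policy.apps:
        return True, ["out of scope"]            # policy does not apply to this app
    reasons: list[str] = []
    if policy.require_mfa and not s.mfa_satisfied:
        reasons.append("mfa not satisfied")
    if policy.require_compliant_device and not (s.device_id and s.device_compliant):
        reasons.append("no compliant device identity")
    return (not reasons), reasons


# Constructed sign-ins. The AitM one carries a valid MFA result because the proxy relayed it,
# but the session originates from the attacker's machine, which has no enrolled, compliant device.
LEGIT = SignIn("alice", True, "dev-1234", True, "mail")
AITM = SignIn("alice", True, None, False, "mail")

MFA_ONLY = Policy("baseline-mfa")
MFA_PLUS_DEVICE = Policy("mfa-and-compliant-device", require_compliant_device=True)


def main() -> None:
    for p in (MFA_ONLY, MFA_PLUS_DEVICE):
        for label, s in (("legit", LEGIT), ("aitm", AITM)):
            allowed, why = evaluate(p, s)
            print(f"{p.name:26} {label:5} -> {'ALLOW' if allowed else 'BLOCK'} {why}")


if __name__ == "__main__":
    main()
```

Running it shows the MFA-only policy allowing both sign-ins, while the device-aware policy blocks the proxied one.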
A Cyber Insurance Renaissance
Globally in 2024, cyber insurance premiums rose 28%.
The harsh reality is that underwriters don’t have the intel or understanding to process the risk associated with covering these businesses—despite the entire industry being one that’s built on risk management.
With the rising costs of cyber insurance, we’re predicting two things:
- Cyber insurance will become more expensive than it would be to implement security practices and controls to help prevent these incidents in the first place.
- The cyber insurance industry will need to make changes because of this.
A Recap
Security awareness plays a pivotal role in prioritizing initiatives and avoiding costly missteps. Here is a summary of our 2025 cybersecurity predictions:
- While AI will remain at the center stage of the cybersecurity landscape, the conversations and focuses around LLMs will shift.
- A reprioritization to monitoring and data integrity will occur.
- We will see an AI-influenced death.
- A major outage or breach will force regulators’ hands. Lawsuits are impending.
- Attackers will find ways to monetize deepfakes, and we’ll see them more because of it.
- Be on the lookout for drive-by attacks with the coding and site cloning improvements as they become more prevalent.
- Regulatory requirements we’ve both been anticipating for a while and seemingly solidified may suddenly see more revisions.
- CMMC and HIPAA may both see rollbacks or delays.
- The cyber insurance industry needs a revamp, and we’ll see one. The cost of doing security right will be less than paying incident coverage.
- We will see an improvement in conditional access policies focused on device and application authorization.
- Post-quantum cryptography and encryption standard development will be initiated to get ahead of quantum computing.
What do you think we’ll see this year? Let us know in the comments if you have additional or different 2025 cybersecurity predictions!
And, as always, if you need assistance with any of these topics within your organization’s security practices, give us a shout!